CVE-2024-21669 in aries-cloudagent
Summary
by MITRE • 01/11/2024
Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/28/2024
The vulnerability identified as CVE-2024-21669 affects Hyperledger Aries Cloud Agent Python (ACA-Py), a critical component in decentralized identity infrastructure that facilitates building identity applications for non-mobile environments. This flaw resides in the verification process of W3C Format Verifiable Credentials that utilize JSON-LD with Linked Data Proofs, representing a fundamental weakness in the credential validation mechanism. The issue manifests when the system fails to properly incorporate the verification result of the presentation document.proof into the final verified value calculation, creating a critical gap in the integrity checking process that undermines the core security assurances of the decentralized identity framework.
The technical implementation flaw stems from the incomplete validation logic within ACA-Py's credential verification pipeline, specifically where the system processes JSON-LD Linked Data Proofs for W3C Format Verifiable Credentials. When a presentation is submitted with a proof structure, the system correctly validates the proof component but fails to properly aggregate this verification result into the overall presentation record's verified status. This creates a scenario where malicious actors can construct presentations with invalid or manipulated proofs that still appear valid to the system, as the final verification flag remains incorrectly set to true even when individual proof components have failed validation. The vulnerability exists in the logical flow that determines whether to set the verified field to true or false, essentially allowing proof verification failures to be silently ignored during the final presentation record evaluation.
The operational impact of this vulnerability is severe and directly threatens the integrity of decentralized identity systems that rely on ACA-Py for credential verification. Attackers can exploit this weakness by presenting W3C Format Verifiable Credentials with malformed proofs that bypass the verification process entirely, effectively enabling credential fraud and replay attacks. The malicious verifier can then store and reuse these presentations as if they were legitimate, creating a persistent threat where unauthorized parties can impersonate legitimate credential holders. This vulnerability particularly affects systems where verifiers rely on the verified field to make trust decisions, as the false positive results can lead to unauthorized access to services or resources that should only be available to legitimate credential holders. The issue has persisted since version 0.7.0, indicating a prolonged exposure period where affected systems were vulnerable to this type of attack.
The security implications align with CWE-284 Access Control Issues and can be mapped to ATT&CK technique T1552.001 for credential access and T1566.001 for credential stuffing attacks. Organizations using ACA-Py versions between 0.7.0 and 0.10.4 are at significant risk, as the vulnerability allows for the manipulation of presentation verification results without detection. The fix implemented in version 0.10.5 addresses this by ensuring that the verification status of the document.proof is properly considered when setting the final verified value on presentation records. This remediation restores proper validation logic and ensures that credential presentations with invalid proofs cannot be accepted as valid, thereby protecting the integrity of decentralized identity ecosystems that depend on ACA-Py for secure credential handling. Organizations should urgently upgrade to version 0.10.5 or later and conduct thorough security assessments of their credential verification processes to ensure proper implementation of proof validation mechanisms.